2025-02-24 Update From: SLTechnology News&Howtos (shulou), Servers
Shulou (Shulou.com) 06/01 Report
In this issue, the editor explains how to deal with a virus on a Linux host. The article is detailed and analyses the case from a professional point of view; I hope you gain something from reading it.
Problem phenomenon
The server has been sending out a large number of packets, consuming bandwidth and CPU and making the server slow or unresponsive; a virus is suspected.
Problem troubleshooting & solving process
Almost all of these viruses add scheduled tasks and services, so start with crontab. At this point the output of running crontab -l directly may no longer be trustworthy, so read the file itself.
Two suspicious scheduled tasks were found. Since the cron.sh virus had already been cleared, only the handling of the kill.sh virus is recorded here.
[root@zj-nms4 rc.d]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
*/3 * * * * root /etc/cron.hourly/cron.sh
*/3 * * * * root /etc/cron.hourly/kill.sh
Open /etc/crontab with vi and comment out or delete the last two lines.
The kill.sh script points to /lib/libkill.so, which is disguised as a shared library but is actually an executable; file /lib/libkill.so shows this.
kill.sh itself is the virus, but because a guard process watches it, it is recreated immediately after deletion, so the guard process must be found first.
Using top, the suspicious process suwakbqdkn is found with PID 7480 (ps no longer displays information accurately; only top and lsof are reliable).
The process information is as follows. If it is killed directly, new processes and services with random 10-character names are spawned.
7480 root 19 0 21268 276 184 S 1.9 0.0 0:00.07 suwakbqdkn
In ps the process disguises itself as the whoami command, so if you use ps instead of top, for example ps -ef | grep suwakbqdkn, you will not find the real information.
[root@zj-nms4 lib]# ps -ef | grep 7480
root 7480 1 0 16:40 ? 00:00:00 whoami
root 8482 26912 0 16:45 pts/2 00:00:00 grep 7480
ls -l /proc/7480
Verify that the executable file is under /bin, not /usr/bin.
At this point lsof -R | grep "/bin" shows the result.
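The three checks above (read /etc/crontab directly instead of trusting crontab -l, treat names of 10 random letters as suspect, and use lsof or /proc rather than ps) can be scripted. The following is an added example written for this page, not code from the original article; the sample crontab and lsof text inside it are constructed in the shape of the listings above, and the function names, the --live switch and the script path are assumptions.

```shell
#!/bin/sh
# Added triage helpers, not part of the original article. They encode the
# three checks the write-up walks through: crontab entries that are not the
# stock run-parts lines, process names made of 10 random letters, and running
# binaries that have already been deleted from disk. The sample crontab and
# lsof text below are constructed, modelled on the listings in the article.

SAMPLE_CRONTAB='SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# run-parts
01 * * * * root run-parts /etc/cron.hourly
42 4 1 * * root run-parts /etc/cron.monthly
*/3 * * * * root /etc/cron.hourly/cron.sh
*/3 * * * * root /etc/cron.hourly/kill.sh'

SAMPLE_LSOF='COMMAND     PID PPID USER FD  TYPE DEVICE SIZE/OFF    NODE NAME
sshd       1201    1 root txt  REG    8,2  568788  393352 /usr/sbin/sshd
cguvljrkz 32164    1 root txt  REG    8,2  619123 2683872 /usr/bin/cguvljrkzq (deleted)
cguvljrkz 32167    1 root txt  REG    8,2  619123 2683872 /usr/bin/cguvljrkzq (deleted)'

# Read system-crontab text on stdin (so /etc/crontab can be read directly,
# without trusting the crontab binary) and print every job whose command is
# not the stock run-parts dispatcher. Fields: min hour dom mon dow user cmd.
suspicious_cron_entries() {
    awk '
        /^[[:space:]]*#/  { next }   # comment lines
        NF == 0           { next }   # blank lines
        /^[A-Za-z_]+=/    { next }   # SHELL=, PATH=, MAILTO=, HOME=
        $7 != "run-parts" { print }
    '
}

# The article's heuristic: dropped processes and services carry names of
# exactly 10 lowercase letters (e.g. suwakbqdkn). Exit 0 when a name matches.
looks_random_name() {
    printf '%s' "$1" | grep -Eq '^[a-z]{10}$'
}

# From lsof -R output, print "PID PPID PATH" for every process whose program
# text (FD "txt") was unlinked after launch, the pattern in the article's
# listing where the binary survives only as a running image.
deleted_running_binaries() {
    awk '$5 == "txt" && $NF == "(deleted)" { print $2, $3, $(NF-1) }'
}

# Live check that bypasses a possibly trojaned ps: take each process's name
# and executable straight from /proc and report random-looking names or
# executables that no longer exist on disk.
scan_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        exe=$(readlink "$d/exe" 2>/dev/null || true)
        if looks_random_name "$comm" || { [ -n "$exe" ] && [ ! -e "$exe" ]; }; then
            printf '%s %s %s\n' "$pid" "$comm" "${exe:-?}"
        fi
    done
}

# Usage on a suspect host (assumed script name): sh triage.sh --live
# Without --live the functions are only exercised on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    suspicious_cron_entries < /etc/crontab
    scan_proc
else
    printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_entries
    printf '%s\n' "$SAMPLE_LSOF" | deleted_running_binaries
fi
```

The /proc scan reads comm and the exe link for each PID, which is what top and lsof do underneath, so a replaced ps binary does not hide the process; an exe link that resolves to a missing path is the same "(deleted)" condition the lsof listing exposes.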
Set the immutable attribute on the following directories so the virus cannot change or add files:
chattr +i /lib
chattr +i /etc
chattr +i /bin
chattr +i /usr/bin
chattr +i /tmp
Delete the virus's original file and all the files it generated:
chattr -i /etc; rm -rf /etc/cron.hourly/kill.sh; chattr +i /etc
chattr -i /lib; rm -rf /lib/libkill.so; chattr +i /lib
chattr -i /bin; rm -rf /bin/suwakbqdkn; chattr +i /bin
chattr -i /tmp; rm -rf /tmp/gates.lod /tmp/moni.lod; chattr +i /tmp
Find the abnormal service and delete it
chkconfig --list shows the abnormal service with the 10-character name.
Disable it at startup:
chkconfig suwakbqdkn off
Stop the service:
service suwakbqdkn stop
Delete the service:
chkconfig --del suwakbqdkn
At the same time, check whether the suwakbqdkn service reappears under the following path.
Delete suwakbqdkn from every runlevel directory under /etc/rc.d and confirm that nothing new has been added to rc.local.
[root@zj-nms4 cron.hourly]# cd /etc/rc.d/
[root@zj-nms4 rc.d]# ll
total 112
drwxr-xr-x 2 root root  4096 03-04 13:57 init.d
-rwxr-xr-x 1 root root  2255 2009-07-04 rc
drwxr-xr-x 2 root root  4096 03-04 14:49 rc0.d
drwxr-xr-x 2 root root  4096 03-04 17:18 rc1.d
drwxr-xr-x 2 root root  4096 03-04 17:18 rc2.d
drwxr-xr-x 2 root root  4096 03-04 17:17 rc3.d
drwxr-xr-x 2 root root  4096 03-04 17:19 rc4.d
drwxr-xr-x 2 root root  4096 03-04 17:17 rc5.d
drwxr-xr-x 2 root root  4096 03-04 14:55 rc6.d
-rwxr-xr-x 1 root root   220 2009-07-04 rc.local
-rwxr-xr-x 1 root root 28574 2013-06-24 rc.sysinit
Execute the deletion as a single line:
chattr -i /etc; rm -rf suwakbqdkn; chattr +i /etc
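The rc.d clean-up above (find every init.d script and rc?.d link with a 10-character random name, then remove it inside a chattr -i / rm / chattr +i sequence) is shown below as an added example written for this page, not code from the original article. It builds a throw-away rc.d tree in a temporary directory so it runs offline; the function names, the --demo switch and the sample service entries are assumptions, and the immutable bit is only touched where lsattr reports it.

```shell
#!/bin/sh
# Added example, not from the original article: locate SysV service entries
# whose name is 10 random lowercase letters (the article's heuristic) under an
# rc.d tree, then delete them with the same "chattr -i DIR; rm; chattr +i DIR"
# sequence the article uses, lifting the immutable bit only where it is set.
# The rc.d tree below is constructed in a temporary directory so the example
# runs offline; point the functions at /etc/rc.d only on an affected host.

# Constructed sample: a legitimate sshd entry beside the malicious service.
make_sample_rcd() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc3.d" "$root/rc5.d"
    : > "$root/init.d/sshd"
    : > "$root/init.d/suwakbqdkn"
    ln -s ../init.d/sshd "$root/rc3.d/S55sshd"
    ln -s ../init.d/suwakbqdkn "$root/rc3.d/S90suwakbqdkn"
    ln -s ../init.d/suwakbqdkn "$root/rc5.d/S90suwakbqdkn"
    printf '%s\n' "$root"
}

# Print, one per line and sorted, every init.d script and rc?.d link whose
# service name (after the S##/K## ordering prefix) is exactly 10 lowercase letters.
find_random_services() {
    rcd=$1
    for f in "$rcd"/init.d/* "$rcd"/rc[0-6].d/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # skip an unmatched glob
        name=$(basename "$f")
        case $name in
            [SK][0-9][0-9]*) name=${name#???} ;;    # strip the S90/K10 prefix
        esac
        if printf '%s' "$name" | grep -Eq '^[a-z]{10}$'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Remove one path from a directory that may carry the immutable attribute.
# The bit is lifted only if lsattr reports it and is re-applied afterwards,
# so the directory is unlocked no longer than the deletion takes.
remove_locked() {
    target=$1
    dir=$(dirname "$target")
    locked=0
    if command -v lsattr >/dev/null 2>&1 \
       && lsattr -d "$dir" 2>/dev/null | grep -Eq '^[^ ]*i'; then
        locked=1
        chattr -i "$dir"
    fi
    rm -f "$target"
    if [ "$locked" -eq 1 ]; then
        chattr +i "$dir"
    fi
}

# Remove every random-named service entry under an rc.d root, reporting each.
purge_random_services() {
    find_random_services "$1" | while IFS= read -r p; do
        remove_locked "$p"
        printf 'removed %s\n' "$p"
    done
}

# Demo on the constructed tree (assumed script name): sh purge_rcd.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_rcd)
    purge_random_services "$sample"
    rm -rf "$sample"
fi
```

Running the scan before the purge, and again afterwards, gives the "confirm there is no new content" check from the article: if a second scan finds entries again, the guard process is still alive and has re-created them.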
Restore the attributes on the following directories, otherwise normal operation of the system will be affected:
chattr -i /lib
chattr -i /etc
chattr -i /bin
chattr -i /usr/bin
chattr -i /tmp
After dealing with the virus, be sure to change the passwords of all users on the server to strong passwords (digits, letters, capitals, special symbols, etc.). Many such infections begin with weak passwords being brute-forced.
Sample lsof -R output from the case: the virus processes are still running while their executable on disk has already been deleted (note the "(deleted)" marker).
cguvljrkz 32164 1 root txt REG 8 619123 2683872 /usr/bin/cguvljrkzq (deleted)
cguvljrkz 32167 1 root txt REG 8 619123 2683872 /usr/bin/cguvljrkzq (deleted)
cguvljrkz 32170 1 root txt REG 8 619123 2683872 /usr/bin/cguvljrkzq (deleted)
cguvljrkz 32173 1 root txt REG 8 619123 2683872 /usr/bin/cguvljrkzq (deleted)
cguvljrkz 32174 1 root txt REG 8 619123 2683872 /usr/bin/cguvljrkzq (deleted)
This is the virus handling process on a Linux host shared by the editor. If you have run into a similar problem, refer to the analysis above; to learn more, follow the industry information channel.